CVE-2025-34301 is a stored cross-site scripting (XSS) vulnerability identified in IPFire, an open-source firewall distribution widely used for network security. The vulnerability exists in versions prior to 2.29 (Core Update 198) and arises from improper neutralization of input during web page generation, specifically in the handling of the COUNTRY_CODE parameter when creating location groups. When an authenticated user submits a POST request with ACTION=savelocationgrp, the COUNTRY_CODE parameter's value is stored and later rendered in the web interface without proper sanitization or encoding. This flaw allows an attacker with valid credentials to inject malicious JavaScript code that will execute in the browsers of other users who view the affected page. The vulnerability is classified under CWE-79, indicating cross-site scripting due to improper input validation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) reflects that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), and user interaction (victim must view the malicious content). The impact is limited to the web interface context, potentially enabling session hijacking, unauthorized actions, or information disclosure within the IPFire management console. No public exploits have been reported yet, but the vulnerability poses a risk to environments relying on IPFire for perimeter security.

For European organizations, this vulnerability could lead to unauthorized execution of scripts within the IPFire management interface, potentially allowing attackers to hijack sessions, perform unauthorized administrative actions, or steal sensitive information from the firewall's web console. Since IPFire is often deployed in critical network infrastructure, exploitation could undermine network security controls, leading to broader compromise. The requirement for authentication limits exposure to insiders or compromised accounts, but the risk remains significant in environments with multiple administrators or where credential theft is possible. The vulnerability could disrupt operations, degrade trust in firewall integrity, and increase the attack surface for further intrusions. Organizations in sectors such as government, finance, energy, and telecommunications, which rely heavily on robust firewall solutions, may face heightened risks.

Organizations should immediately upgrade IPFire installations to version 2.29 (Core Update 198) or later, where this vulnerability is addressed. If upgrading is not immediately feasible, administrators should restrict access to the IPFire web interface to trusted networks and users only, employing strong authentication mechanisms such as multi-factor authentication (MFA). Additionally, monitoring and auditing of administrative actions and user accounts should be enhanced to detect suspicious activity. Web application firewalls (WAFs) or reverse proxies can be configured to sanitize or block suspicious input patterns targeting the COUNTRY_CODE parameter. Educating administrators about the risks of XSS and encouraging cautious handling of location group creation can reduce the likelihood of exploitation. Regular vulnerability scanning and penetration testing focused on the firewall management interface can help identify residual risks.